capistrano-unicorn-nginx 4.2.0 → 5.0.0

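--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 8f0337593e08e19cab15ce29f6ccb7455e37df5e
- data.tar.gz: 8eba038b8b6e113d3e8be52f8838c14e3232fea4
+ metadata.gz: 0fa877d749e83b2c34f3b32afe592b02e64c5e2a
+ data.tar.gz: 548a8d063c482223211352b23f9448abc49346c8
  SHA512:
- metadata.gz: 207b3ae7e01925fb55b881e18188b4c8c8b939cf874d2c1b6f2228c1957f975d97d95a926e637e10bcf2b563c804492b507f5dc9691c7ac5ebfd647b61c2d636
- data.tar.gz: b801c70fc857c355b81444fbac9e5206719444107acf0aa0840a1bc68bd00f011c40e86885241e5b0660bc856c00f653cd84ce32d6ae87ef22063452e0c008d1
+ metadata.gz: 5b74ee7655764aa5b1b377fd780d62c6e08ad9a4f3b21cd1c224a81b64d114aaeaaf58c490e09fda1faca0de4f7727a55d5af2eda137449c1e147ab8b226bb19
+ data.tar.gz: e05853236f43bb5d13b33604f5cffc6b8dfc31af551ecc1e4c18cbb9b7d4071428cb0a9757bf8fd45487594b298af1c4eadfc2b83fdc1d002e25adbcf9143ae4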
@@ -2,6 +2,11 @@
2
2
 
3
3
  ### master
4
4
 
5
+ ### v5.0.0, 2018-02-08
6
+ - Remove `nginx_pass_ssl_client_cert` in favor of nginx_use_client_ssl
7
+ - Add `nginx_server_ssl_ports` to specify which ports nginx should listen on
8
+ - Remove `nginx_use_spdy`. Use `nginx_use_http2` instead.
9
+
5
10
  ### v4.2.0, 2018-02-08
6
11
  - Add support for client authentication using a root CA. Inspired by
7
12
  http://www.pandurang-waghulde.com/2014/06/client-side-ssl-certificate.html
@@ -14,10 +14,19 @@ namespace :load do
14
14
  # ssl options
15
15
  set :nginx_location, '/etc/nginx'
16
16
  set :nginx_use_ssl, false
17
- set :nginx_use_spdy, false
18
17
  set :nginx_use_http2, false
19
- # if true, passes the SSL client certificate to the application server for consumption in Ruby code
20
- set :nginx_pass_ssl_client_cert, false
18
+ # if true, verifies the client certificate, and passes a number of variables
19
+ # in the header to the application server consumption in Ruby code. These
20
+ # are:
21
+ # - X-Client-DN: the Distinguished Name of the certificate
22
+ # - X-Client-Serial: the Serial Number of the certificate
23
+ # - X-Client-Verify:
24
+ # - SUCCESS if a certificate was supplied that was signed by the CA.
25
+ # - FAILED if a certificate was supplied that was not signed by the CA.
26
+ # - NONE if no certificate was supplied
27
+ # - X-Client-Raw-Cert: the raw (PEM) version of the supplied certificate
28
+ set :nginx_use_client_ssl, false
29
+ set :nginx_ssl_client_ca, '' # the location of the root CA (on server)
21
30
  set :nginx_ssl_cert, -> { nginx_default_ssl_cert_file_name }
22
31
  set :nginx_ssl_cert_key, -> { nginx_default_ssl_cert_key_file_name }
23
32
  set :nginx_ssl_cert_path, -> { nginx_default_ssl_cert_file_path }
@@ -33,11 +42,11 @@ namespace :load do
33
42
  end
34
43
 
35
44
  namespace :nginx do
36
-
37
45
  task :defaults do
38
46
  on roles :web do
39
47
  set :nginx_server_name, fetch(:nginx_server_name, host.to_s)
40
48
  set :nginx_server_port, fetch(:nginx_server_port, 80)
49
+ set :nginx_server_ssl_ports, fetch(:nginx_server_ssl_ports, [443])
41
50
  end
42
51
  end
43
52
 
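Review bot: The new comment above `set :nginx_use_client_ssl, false` says nginx "verifies the client certificate", which overstates what the generated config enforces. The template in this release sets `ssl_verify_client optional_no_ca`, so a request with no certificate or an untrusted one is still proxied, and only `X-Client-Verify` tells the application the outcome. The comment should state that the application must reject anything other than `SUCCESS`, and that nginx 1.11.7 and later report failures as `FAILED:reason`, so an exact match on `FAILED` is the wrong test. The `''` default for `nginx_ssl_client_ca` also deserves a line, since enabling `nginx_use_client_ssl` without setting it would presumably render an empty `ssl_trusted_certificate` directive. The `namespace :load` block starts and ends outside these hunks.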
@@ -1,5 +1,5 @@
1
1
  module Capistrano
2
2
  module UnicornNginx
3
- VERSION = '4.2.0'.freeze
3
+ VERSION = '5.0.0'.freeze
4
4
  end
5
5
  end
@@ -1,24 +1,14 @@
1
- <% if fetch(:nginx_use_ssl) && nginx_pass_ssl_client_cert -%>
2
- # source: http://forum.nginx.org/read.php?2,236546,236596
3
- map $ssl_client_raw_cert $a {
4
- "~^(-.*-\n)(?<1st>[^\n]+)\n((?<b>[^\n]+)\n)?((?<c>[^\n]+)\n)?((?<d>[^\n]+)\n)?((?<e>[^\n]+)\n)?((?<f>[^\n]+)\n)?((?<g>[^\n]+)\n)?((?<h>[^\n]+)\n)?((?<i>[^\n]+)\n)?((?<j>[^\n]+)\n)?((?<k>[^\n]+)\n)?((?<l>[^\n]+)\n)?((?<m>[^\n]+)\n)?((?<n>[^\n]+)\n)?((?<o>[^\n]+)\n)?((?<p>[^\n]+)\n)?((?<q>[^\n]+)\n)?((?<r>[^\n]+)\n)?((?<s>[^\n]+)\n)?((?<t>[^\n]+)\n)?((?<v>[^\n]+)\n)?((?<u>[^\n]+)\n)?((?<w>[^\n]+)\n)?((?<x>[^\n]+)\n)?((?<y>[^\n]+)\n)?((?<z>[^\n]+)\n)?(-.*-)$" $1st;
5
- }
6
- <% end -%>
7
-
8
1
  server {
9
2
  <% if fetch(:nginx_use_ssl) -%>
10
- <% if fetch(:nginx_use_http2) -%>
11
- listen <%= ssl_port %> http2;
12
- <% elsif fetch(:nginx_use_spdy) -%>
13
- listen <%= ssl_port %> spdy;
14
- <% else -%>
15
- listen <%= ssl_port %>;
3
+ <% fetch(:nginx_server_ssl_ports).each do |port| -%>
4
+ listen <%= port %> <%= 'http2' if fetch(:nginx_use_http2)-%>;
16
5
  <% end -%>
17
6
  ssl on;
18
7
  ssl_certificate <%= nginx_ssl_cert_file %>;
19
8
  ssl_certificate_key <%= nginx_ssl_cert_key_file %>;
20
9
  <% if fetch(:nginx_use_client_ssl) -%>
21
10
  ssl_trusted_certificate <%= nginx_ssl_client_ca %>;
11
+ ssl_verify_client optional_no_ca;
22
12
  <% end -%>
23
13
 
24
14
  ssl_session_cache shared:SSL:10m;
@@ -38,10 +28,6 @@ server {
38
28
 
39
29
  add_header X-Content-Type-Options nosniff;
40
30
 
41
- <% if fetch(:nginx_use_ssl) && (nginx_pass_ssl_client_cert || fetch(:nginx_use_client_ssl)) -%>
42
- ssl_verify_client optional_no_ca;
43
- <% end -%>
44
-
45
31
  client_max_body_size 4G;
46
32
  keepalive_timeout 10;
47
33
 
@@ -66,11 +52,7 @@ server {
66
52
  proxy_set_header X-Client-Dn $ssl_client_s_dn;
67
53
  proxy_set_header X-Client-Serial $ssl_client_serial;
68
54
  proxy_set_header X-Client-Verify $ssl_client_verify;
69
- <% end -%>
70
-
71
- <% if fetch(:nginx_use_ssl) && nginx_pass_ssl_client_cert -%>
72
- # source: http://forum.nginx.org/read.php?2,236546,236596
73
- proxy_set_header X-Client-Cert $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$v$u$w$x$y$z;
55
+ proxy_set_header X-Client-Raw-Cert $ssl_client_raw_cert;
74
56
  <% end -%>
75
57
 
76
58
  proxy_pass http://unicorn_<%= fetch(:nginx_config_name) %>;
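Review bot: `proxy_set_header X-Client-Raw-Cert $ssl_client_raw_cert;` forwards the PEM with its line breaks intact, which is what the removed `map` block existed to work around; a multi-line value in a proxied header makes the upstream request malformed. Use the escaped form, `proxy_set_header X-Client-Raw-Cert $ssl_client_escaped_cert;` (nginx 1.13.5 or later), and have the application URL-decode it. Because `ssl_verify_client optional_no_ca` lets any certificate through, the application should treat this header as untrusted input unless `X-Client-Verify` is `SUCCESS`. The `<% if %>` enclosing these `proxy_set_header` lines opens outside the hunk; if it does not cover every server block that proxies to unicorn, the `X-Client-*` headers should be cleared on the others so that a client cannot supply them directly.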
@@ -16,10 +16,4 @@ server {
16
16
  }
17
17
  <% end -%>
18
18
 
19
- <%# render the default server directive. If SSL is enabled, port 443 is used %>
20
- <%= template_to_s("_default_server_directive.erb", ssl_port: 443, nginx_pass_ssl_client_cert: false).to_s %>
21
-
22
- <% if fetch(:nginx_pass_ssl_client_cert) -%>
23
- <%# render the server directive with SSL client certificate authentication enabled on port 444 %>
24
- <%= template_to_s("_default_server_directive.erb", ssl_port: 444, nginx_pass_ssl_client_cert: true).to_s %>
25
- <% end -%>
19
+ <%= template_to_s("_default_server_directive.erb").to_s %>
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: capistrano-unicorn-nginx
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.2.0
4
+ version: 5.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ruben Stranders